
6 matches found

Positive Technologies
added 2026/05/14 12:0 a.m., 9 views

PT-2026-41173

Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.0. Description: A Server-Side Request Forgery (SSRF) issue exists in the process picture url function within backend/open webui/utils/oauth.py. The function fetches URLs from OAuth picture claims without using the...

CVSS 7.7, AI score 5.8, EPSS 0.00012
Exploits: 1, References: 7
RedhatCVE
added 2026/04/01 10:50 p.m., 3 views

CVE-2026-34514

A flaw was found in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. A remote attacker, by manipulating the contenttype parameter, could inject additional HTTP headers. This could lead to unexpected behavior or bypass certain security measures within applications...

CVSS 6.9, AI score 5.8, EPSS 0.00015
Exploits: 0, References: 6
RedhatCVE
added 2026/01/06 7:32 a.m., 1 views

CVE-2025-69230

A flaw was found in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. A remote attacker can exploit this vulnerability by sending multiple specially crafted invalid cookies. This can trigger a storm of warning-level logs, leading to a Denial of Service (DoS) condition...

CVSS 6.9, AI score 6.5, EPSS 0.00011
Exploits: 0, References: 5
RedhatCVE
added 2026/01/06 7:28 a.m., 1 views

CVE-2025-69225

A flaw was found in aiohttp, an asynchronous HTTP client/server framework. The parser logic allows non-ASCII decimal characters in the HTTP Range header. This could potentially enable a remote attacker to exploit a request smuggling vulnerability, leading to the bypass of security controls or...

CVSS 6.9, AI score 6.2, EPSS 0.00032
Exploits: 0, References: 5
RedhatCVE
added 2026/01/06 7:27 a.m., 2 views

CVE-2025-69229

A flaw was found in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. An attacker can exploit this vulnerability by sending a large number of chunks in a message. This can lead to excessive blocking CPU usage when the application processes the request, potentially...

CVSS 8.7, AI score 6.4, EPSS 0.00048
Exploits: 0, References: 6
RedHat Linux
added 2024/04/18 1:56 a.m., 1 views

aiohttp: CRLF injection if user controls the HTTP method using aiohttp client

A flaw was found in Aiohttp. This issue may allow an attacker to send a crafted HTTP request to the server and smuggle arbitrary HTTP headers due to improper validation of HTTP requests during the processing of the HTTP request method. By exploiting this flaw, an attacker can manipulate HTTP...

CVSS 5.3, AI score 7.2, EPSS 0.00228
Exploits: 1, References: 5